mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-20 09:17:25 +00:00
Update Windows Hello for Business configuration with group policy
parent eea61a40e3
commit 3db0158ba3
@ -98,16 +98,23 @@ You may need to update your Group Policy definitions to be able to configure the
You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1].
#### Create the Windows Hello for Business group policy object
### Configure the Windows Hello for Business with group policy
You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO).
[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory.
1. Edit the Group Policy object from Step 1.
1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
1. Select **Use Windows Hello for Business** > **Enable** > **OK**.
1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK**.
1. Optional, but recommended: select **Use a hardware security device** > **Enable** > **OK**.
| Group policy path | Group policy setting | Value |
| - | - | - |
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use Windows Hello for Business| **Enabled**|
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use cloud Kerberos trust for on-premises authentication| **Enabled**|
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
> [!NOTE]
> The enablement of the *Use a hardware security device* policy setting is optional, but recommended.
[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
> [!TIP]
> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
---
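Review bot: the new heading `### Configure the Windows Hello for Business with group policy` has a stray "the" (read: "Configure Windows Hello for Business with group policy"), and the table row that marks *Use a hardware security device* as **Enabled** sits next to a note saying the setting is optional; either mark that row's value as recommended rather than required, or drop the row so the note is not needed. Also confirm that the level change from `####` to `###` matches the surrounding section hierarchy, since any existing anchors to the old heading will change with it.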
@ -138,9 +145,9 @@ Once a user completes enrollment with cloud Kerberos trust, the Windows Hello ge
If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps:
1. [Set up Microsoft Entra Kerberos in your hybrid environment](#deploy-microsoft-entra-kerberos).
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
1. For Microsoft Entra joined devices, sign out and sign in to the device using Windows Hello for Business.
1. [Set up Microsoft Entra Kerberos in your hybrid environment](#deploy-microsoft-entra-kerberos)
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
1. For Microsoft Entra joined devices, sign out and sign in to the device using Windows Hello for Business
> [!NOTE]
> For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
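Review bot: the link in step 2 now points at `#configure-windows-hello-for-business-policy-settings`, but the heading this commit introduces in the first hunk is "Configure the Windows Hello for Business with group policy", which renders as a different anchor; check that a heading producing `configure-windows-hello-for-business-policy-settings` actually exists in the article, otherwise the link is broken. Dropping the trailing periods from the list items is consistent with the other hunks in this commit.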
@ -152,11 +159,11 @@ If you deployed Windows Hello for Business using the key trust model, and want t
If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps:
1. Disable the certificate trust policy.
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context.
1. Sign out and sign back in.
1. Provision Windows Hello for Business using a method of your choice.
1. Disable the certificate trust policy
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context
1. Sign out and sign back in
1. Provision Windows Hello for Business using a method of your choice
> [!NOTE]
> For Microsoft Entra hybrid joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
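Review bot: same anchor concern as the previous hunk for `#configure-windows-hello-for-business-policy-settings`. Separately, the unchanged note here says "first sign-in" while the equivalent note in the key trust section above says "first sign in"; pick one form for both places while these lines are being touched. The change from `certutil` to `certutil.exe` is fine.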
@ -175,18 +182,9 @@ The following scenarios aren't supported using Windows Hello for Business cloud
<!--Links-->
[ENTRA-1]: /entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module
[AZ-3]: /azure/active-directory/fundamentals/how-to-find-tenant
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services
[TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store
[MEM-1]: /mem/intune/protect/identity-protection-windows-settings
[MEM-3]: /mem/intune/configuration/custom-settings-configure
[MEM-4]: /windows/client-management/mdm/passportforwork-csp
[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy
[MEM-6]: /mem/intune/protect/identity-protection-configure
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
[ENTRA-1]: /entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module
[MEM-3]: /mem/intune/configuration/custom-settings-configure
[SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services
[TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store
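Review bot: this drops the `[AZ-3]`, `[AZ-4]`, `[MEM-1]`, `[MEM-4]`, `[MEM-5]` and `[MEM-6]` link definitions and adds `[CSP-1]` with the same target the removed `[MEM-4]` had (`/windows/client-management/mdm/passportforwork-csp`); make sure every remaining `[MEM-4]` reference in the article is renamed to `[CSP-1]` and that none of the other removed labels is still referenced, since a dangling reference renders as literal bracket text instead of a link.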
@ -23,50 +23,27 @@ If the Intune tenant-wide policy is enabled and configured to your needs, you ca
[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)]
### Enable and configure Windows Hello for Business
### Configure the Windows Hello for Business with group policy
Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
1. Start the **Group Policy Management Console** (gpmc.msc)
1. Expand the domain and select the **Group Policy Object** node in the navigation pane
1. Right-click **Group Policy object** and select **New**
1. Type *Enable Windows Hello for Business* in the name box and select **OK**
1. In the content pane, right-click the **Enable Windows Hello for Business** group policy object and select **Edit**
1. In the navigation pane, expand **Policies** under **User Configuration**
1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**
1. In the content pane, open **Use Windows Hello for Business**. Select **Enable > OK**
1. Close the **Group Policy Management Editor**
| Group policy path | Group policy setting | Value |
| - | - | - |
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use Windows Hello for Business| **Enabled**|
| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
> [!NOTE]
> Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*.
>
> For more information about these policies, see [Configure Windows Hello for Business](../configure.md).
> The enablement of the *Use a hardware security device* policy setting is optional, but recommended.
### Configure security for GPO
[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout.
1. Start the **Group Policy Management Console** (gpmc.msc)
1. Expand the domain and select the **Group Policy Object** node in the navigation pane
1. Open the **Enable Windows Hello for Business** GPO
1. In the **Security Filtering** section of the content pane, select **Add**. Type the name of the security group you previously created (for example, *Windows Hello for Business Users*) and select **OK**
1. Select the **Delegation** tab. Select **Authenticated Users > Advanced**
1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK**
### Deploy the Windows Hello for Business Group Policy object
The application of Group Policy object uses security group filtering. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all users. The security group filtering ensures that only the members of the *Windows Hello for Business Users* global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
1. Start the **Group Policy Management Console** (gpmc.msc)
1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO**
1. In the **Select GPO** dialog box, select *Enable Windows Hello for Business* or the name of the Windows Hello for Business Group Policy object you previously created and select **OK**
### Add members to the targeted group
Users (or devices) must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding members to the *Windows Hello for Business Users* group. Users and groups who aren't members of this group won't attempt to enroll for Windows Hello for Business.
> [!TIP]
> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
---
Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
## Enroll in Windows Hello for Business
The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.
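Review bot: the removed steps configured *Use Windows Hello for Business* under **User Configuration** (old step 6, "expand **Policies** under **User Configuration**"), while the new table gives the path under **Computer Configuration**; if the move to computer scope is intentional, the unchanged sentence further down that says the setting can be configured "for computer or users" should say so explicitly. The old text also named the filtering group (*Windows Hello for Business Users*) and walked through clearing **Apply Group Policy** for **Authenticated Users**, whereas the replacement tip only mentions "the global group"; unless the `gpo-settings-2` include covers those steps, the group name and the delegation step are lost. The new heading carries the same stray "the" as in the first hunk.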
@ -8,7 +8,7 @@ For Microsoft Entra hybrid joined devices, you can use group policies to configu
> [!TIP]
> Create a security group (for example, *Windows Hello for Business users* or *Windows Hello for Business devices*) to make it easy to deploy Windows Hello for Business in phases. You assign **Group Policy permissions** to this group to simplify the deployment by adding the users or devices to the groups.
The *Enable Windows Hello for Business* policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to **enabled**.\
The *Enable Windows Hello for Business* policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is **enabled**.\
You can configure the *Enable Windows Hello for Business* setting for computer or users:
- Deploying this policy setting to computers (or group of computers) results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment
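Review bot: the unchanged bullet that closes this hunk, "results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment", is ungrammatical; since the sentence just above it is already being edited, consider "causes every user who signs in to that computer to attempt Windows Hello for Business enrollment". The simplification of "configured to **enabled**" to "**enabled**" itself reads fine.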